October 4, 2018
Western Nations Go On the Offensive Against Russian Cyberattacks
Atlantic Council’s Ben Nimmo warns: polarization is America’s Achilles’ heel
By Ashish Kumar Sen
The US Justice Department indicted seven Russian intelligence officers on charges of hacking anti-doping agencies and other organizations.
Earlier in the day, Dutch authorities accused four Russians, who they said belonged to Russia’s military intelligence agency, the GRU, of attempting to hack into the Organization for the Prohibition of Chemical Weapons (OPCW). The OPCW is investigating the poisoning of former Russian spy Sergei Skripal and his daughter, Yulia, in Salisbury in March as well as chemical weapons attacks in Syria. British officials have accused Russia of using the nerve agent Novichok to poison the Skripals. The website Bellingcat revealed that one of the two suspects in the poisoning is a Russian military officer who was honored by Russian President Vladimir Putin.
Dutch officials also accused the four Russians of spying on the investigation of the 2014 downing of Malaysian Airlines flight MH17 over Ukraine. Again, Russia has been blamed for that incident.
Ben Nimmo, information defense fellow with the Atlantic Council’s Digital Forensic Research Lab, discussed these latest developments as well as Russian attempts to influence US elections and what can be done about it in an interview with the New Atlanticist’s Ashish Kumar Sen. Here’s the text of our interview.
Q: What is the Dutch case?
Nimmo: This morning, the Dutch announced that in April they had detained and expelled four Russians whom they accuse of attempting to hack the Organization for the Prevention of Chemical Weapons (OPCW). According to the Dutch account, these four Russians flew into Amsterdam airport on diplomatic passports; they were welcomed by a member of the Russian Embassy; they had computer and hacking equipment on them, which they then put in the back of a car, drove to the OPCW building, and then parked with the back of the car facing the building in an attempt to hack into the OPCW Wi-Fi network.
According to the British ambassador, the same Russians had been planning to travel on to Switzerland to a place called Spiez, which is where one of the main laboratories that OPCW works with is located. That laboratory has been involved in the investigation into the poisoning of Sergei Skripal in Salisbury.
The timing is tricky because these four Russians were in the Netherlands from April 10 to 13 this year. That was just over a month after the Skripal poisoning, but it is also just under a week after the allegations of a chlorine gas attack in Douma, Syria, which the OPCW is also investigating. So the likelihood is that they were targeting Salisbury, but they may also have been targeting the Douma incident.
The Dutch said the laptop which one of these guys had—after looking at its activity log—was also associated with attempts to hack the World Anti-Doping Agency (WADA) and elements of the investigation into the shooting down of Malaysian Airlines flight MH17.
MH17 was shot down over Ukraine in July 2014. All the open-source evidence points to a Russian military unit—the 53rd Anti-Aircraft Missile Brigade from Kursk—as being responsible for the shooting down. Russia has put an enormous amount of effort into denying and obfuscating those charges, and also trying to dismiss everybody involved.
The hacking of the World Anti-Doping Agency came at a time when WADA had found Russia conducted large-scale state-sponsored doping. After the hack, details of WADA’s internal procedures were leaked which then led Russia to say: “Look, everybody does this. You’re treating us unfairly.”
Q: Were OPCW systems breached?
Nimmo: It doesn’t seem so.
Q: Is there evidence that the Kremlin orchestrated the OPCW hack attempt?
Nimmo: The allegation is that these were members of Russian military intelligence. There are a number of leads pointing to that, not least the fact that one of these men had in his pocket a taxi receipt from the GRU main building in Moscow to the airport, which is a fascinating insight into the bureaucratic nature of the intelligence agency and their expenses dockets.
The men were traveling on diplomatic passports. The Dutch have provided imagery of the passports. Two of the passports had sequential numbers, which suggests that they were from a batch of diplomatic passports set aside for serving intelligence officers. That is similar to what we saw for the agents who were involved in the Skripal poisoning. Their passport numbers were only two or three figures different and again seem to have come from a small list of reserve passports for the intelligence services. They, too, were met at the airport by somebody from the Russian Embassy.
If you put all of that together, there is no way you can explain this away by saying: “Oh, they were just tourists.” [Editor’s note: Russia has dismissed the accusations against the two suspects in the Skripal case saying they were simply tourists who were on a visit to Salisbury.] There are very strong cross-referencing links which associate this with the Russian authorities and the embassy in particular.
Q: What has been the Russian response?
Nimmo: The Russian response has been to deny everything. This is the standard Russian response. The Russian response to any accusation can be broken down into four Ds: dismiss, distort, distract, and dismay.
We have increasingly seen dismiss—the Russians insulting everybody and saying this is a joke, there is nothing to see here. Distort is probably what we will see next. We saw that in the case of the two agents who were exposed in the Skripal poisoning where the Russian line was that they were just tourists. The distraction will be that they will accuse the Brits and the Americans and the Dutch and everybody else of hacking, too. The dismaying tactic will be: if this goes ahead this will be terribly bad for bilateral relations.
Q: Where are we on the Skripal case?
Nimmo: The latest is that Bellingcat—the investigative unit—has identified one of the two alleged poisoners as a serving member of the GRU who was decorated in Chechnya. In follow-up reporting, the BBC, the Daily Telegraph, and the Guardian went to this guy’s home village and confirmed the identification. So, we have the identification that one of the guys involved was a serving GRU officer and he appears to have been given a medal by President Putin himself. Of course, we have Russia denying it all.
Q: What are the Russians trying to achieve?
Nimmo: The main plank of Russian response efforts in crises like these is to try and dismiss the other side. The OPCW is a very well-viewed Nobel Peace Prize-winning organization with great expertise in chemical weapons. It has now been involved several times in proving that chemical attacks that Russia said never happened actually happened. That was the case with the sarin gas attack in Syria in 2017, which was launched by Assad’s forces, but Russia was involved in supporting Assad. It was the case with the Douma chlorine attack in April this year.
The OPCW is also involved in the Skripal investigation. What happened in the Skripal investigation particularly was that the British came out and said Skripal was poisoned with Novichok—which is a nerve agent developed in the Soviet Union—the Russians denied and dismissed it, and then the OPCW came out and said “we confirm the British findings.” This was a major blow for the Russian communication effort. They have tried various ways of obfuscating what the OPCW said. You even had [Russian Foreign Minister] Sergey Lavrov exposing the name of the Spiez lab, which is not well-regarded diplomatic practice, and distorting what the OPCW actually said.
The OPCW is a key witness and something we repeatedly see in such cases is that there is an attempt to compromise or dismiss the witness.
Q: A number of Western nations, including the United States, expelled dozens of Russian diplomats following the Skripal poisoning. Do you expect a similar international response following these new accusations?
Nimmo: It is early days. There has been a very substantial international response already. This strengthens the British hand, it brings in another actor directly involved in this. You now have the Dutch providing corroborating information. And you have the fact that this was a digital attack on the OPCW. The Russian activity has brought more Western players into the game. That will change the public debate. How much it changes the diplomatic side we will have to wait and see. Will there be another round of sanctions, will there be more indictments? We don’t know at this stage. It will be interesting to see what the political tone is from Western countries over the next few days.
Q: There have been mixed opinions here in Washington about Russian attempts to influence the midterm elections in November. Do you see evidence of Russian meddling?
Nimmo: The hard piece of data which I have is that at the end of July Facebook took down thirty-one pages and accounts which they found to be inauthentic. These were all masquerading as progressive groups in the United States organizing anti-Trump activity or posting anti-Trump content. Facebook has not attributed that definitively to the Internet Research Agency [a Russian troll farm engaged in online influence operations], but Facebook shared with the Atlantic Council’s Digital Forensic Research Lab some of the account handles before they took them offline. We have analyzed those accounts and all the evidence points to the fact that these were run by the Russian troll farm. That is a solid data point that looks like troll farm interfering in the American political space broadly. It wasn’t midterm-related at that stage—which was August—but it had all the hallmarks of an Internet Research Agency operation.
Bear in mind, the midterms are a difficult target for anyone because there are so many moving parts all at one time—if you look at it from the outside you have to look at all the different states, all the different races, and you have to work out where it would be interesting to interfere. It’s a very nebulous target.
Compare that with the presidential election: it is pure black and white. Is it going to be the Democrat or the Republican? A presidential election is a much easier target, it is also a much juicier target because you are actually trying to see which president gets in.
When the original Internet Research Agency decided to target the 2016 election, according to the [Special Counsel Robert] Mueller indictment, that decision was taken in May 2014—two and a half years ahead of time. We are now only two years and one month away from the 2020 election. It would be reasonable to assume that the buildup work for 2020 has already begun.
My sense would be: look beyond the midterms, look to 2020, and start preparing for that because that is a much bigger target and a much easier target.
Q: Are we still vulnerable?
Nimmo: We are more vulnerable than ever. The reason that these information operations have an impact is because there are very polarized domestic constituencies in which it is very easy to hide and into which it is very easy to pass more polarizing messaging. The online debate about politics in America is even more polarized now than it was two years ago. It is now an even more permissive environment on the level of users than it was before.
To be fair, the platforms have really upped their game, the research community has really upped its game, the authorities are really working on this a lot. The official response is much better than it was, but the underlying polarization is still there and that really is America’s Achilles’ heel.
Until you can get the Democrats and the Republicans actually talking with each other again and actually trying to find common ground this will be a vulnerability.
If you look at what the troll farm was doing in 2016, it was inserting itself in entirely genuine movements—Black Lives Matter, the alt-right. These are angry movements that genuinely have a legitimate feeling of discontent, resentment, and hatred. And then you weaponize that hatred. The classic example is when the troll farm organized two simultaneous demonstrations in Houston, Texas, on May 21, 2016. One was protesting against an Islamic cultural center, the other was defending the same Islamic cultural center. The troll farm told the demonstrators to come armed. That’s an attempt to seed violence between Americans but it is focused on real American issues. It is focused on the real question of the Muslim presence in the United States, which for some people is a sensitive issue. It is not creating the problem, but it is weaponizing the problem.
Q: What can be done to address what is obviously a societal problem?
Nimmo: It is a societal problem. There needs to be a solution to the massive problem of hyperpolarization. It is not an easy solution. It is not a communications problem. The American system appears at the moment to incentivize polarizing content. Something about the political structure seems to be leading to the more extreme positions getting more support than the moderate ones. That is an unhealthy situation. It has been like that for a long time. This is not a new phenomenon. But what has happened is that foreign actors have worked out that that situation is ripe for influence operations. You are not going to stop the influence operations unless you find a way to disincentivize polarizing speech and polarizing politics. That is going to be difficult, particularly in a two-party system.
Q: But the United States is not special in this regard. Is what’s happening in the United States not the same as what we’re seeing in Europe and other parts of the world?
Nimmo: There are similar trends in Europe. There are specificities about the US political model. We are seeing attempts everywhere in Europe by domestic and some external actors to find what the most divisive political issues are and then to influence them. It could be migration, relations with Europe, internal political issues, racial or ethnic tensions. Any kind of a tense polarized situation like that is a ripe target for an influence operation. So, the question is: what is the most polarizing issue in a country?
Q: Is Russia behind most of these influence operations?
Nimmo: It is behind the best-known ones, it is certainly not behind all of them. Iranians were involved in large-scale influence operations targeting many countries, which was exposed this summer. This has not been definitively linked to the Iranian government.
President Trump has said that China is involved in election interference. We don’t have the data on that. We are looking forward to seeing what he actually comes out with. Whether that is through sanctions policy, cyber, hacking, we don’t know.
Fundamentally, if you look globally, in more and more countries you are seeing large-scale influence and harassment operations online. In most countries they are largely targeting the domestic opposition. But it is worth remembering that in Russia the original Internet Research Agency started off targeting the domestic opposition. That was its primary role. Once you have the capability in place it is a relatively small mental jump to think: “Now that we have targeted the opposition at home let’s target it abroad and let’s target their supporters abroad and let’s target the countries which are supporting them.” Once you have the weapon it is quite easy to turn it outwards. And so there is no room for complacency here.
Russia has been driving the best-known operations so far. It would be unwise to think that nobody else is going to try it next.
Ashish Kumar Sen is deputy director of communications, editorial, at the Atlantic Council. Follow him on Twitter @AshishSen.